PkgRadar

Package evidence

[email protected]

Remote Payload: matched "github.com/${REPO}/releases/download"

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherimjustbetterxd
Artifact bytes15,603
Previous version1.1.2
Published2026-05-25T02:40:07.528Z
SHA-256d50cb1099a1b894be2f2055ff9cccca773e7c0e7397bf4a940f287d9603f4e0c

Why flagged

What the scanner saw

Remote Payload: matched "github.com/${REPO}/releases/download"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
24Score
1.1.3Version
Status history (1 event)
  1. newavailable · risk review · score 24 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
mediumRemote Payloadpackage/cli/bin/codebuff.cjsmatched "github.com/${REPO}/releases/download"12
mediumRemote Payloadpackage/cli/scripts/download-binary.cjsmatched "github.com/' + REPO + '/releases/download"12

Manifest

Package metadata

Scripts16
  • clean-tsfind . -name '*.tsbuildinfo' -type f -delete && find . -name '.next' -type d -exec rm -rf {} + 2>/dev/null || true && find . -name 'node_modules' -type d -exec rm -rf {} + 2>/dev/null || true && bun install
  • cleanup-worktreebun scripts/cleanup-worktree.ts
  • devbun start-cli
  • downbun scripts/stop-services.ts
  • formatprettier --write "**/*.{ts,tsx,json,md}"
  • generate-tool-definitionsbun scripts/generate-tool-definitions.ts
  • init-worktreebun scripts/init-worktree.ts
  • psbun scripts/status-services.ts
  • release:clibun run --cwd=cli release
  • release:sdkbun run --cwd=sdk release
  • start-clibun --cwd cli dev
  • start-dbbun --cwd packages/internal db:start
  • start-studiobun --cwd packages/internal db:studio
  • testbun --filter='{@codebuff/common,@codebuff/agents,@codebuff/agent-runtime,@codebuff/sdk,@codebuff/cli,@codebuff/evals,@codebuff/scripts}' run test
  • typecheckbun scripts/check-env-architecture.ts && bun --filter='*' run typecheck && echo '✅ All type checks passed!'
  • upbun scripts/start-services.ts
Dependencies4
  • @t3-oss/env-nextjs^0.7.3
  • canvas^3.2.0
  • gif-encoder-2^1.0.5
  • zod^4.2.1